1
0
forked from bip/bip

Compare commits

..

1 Commits

Author SHA1 Message Date
Loïc Gomez
6542c2a4e1
Also reload SSL context on bip reload, allowing for SSL cert updates
- on BIP reload, check if SSL files are readable, and try to load new
  SSL context.
- on success only, update SSL context for new client connections

This allows for SSL certificate/key updates on /BIP reload or SIGHUP.

Signed-off-by: Loïc Gomez <bip@animanova.fr>
2024-02-08 23:18:06 +09:00
13 changed files with 29 additions and 260 deletions

View File

@ -3,7 +3,7 @@ if COND_WANT_TESTS
endif
SUBDIRS = src . $(MAYBE_TESTS)
dist_man_MANS = bip.1 bip.conf.5 bipmkpw.1 bipgenconfig.1
dist_man_MANS = bip.1 bip.conf.5 bipmkpw.1
examplesdir = $(prefix)/share/doc/bip/examples/
dist_examples_DATA = samples/bip.conf samples/bip.vim

View File

@ -146,7 +146,7 @@ Defines the delay between each logfiles sync to the disk. Must be a non null
positive integer.
.TP
\fBreconn_timer\fP (default: \fB30\fP)
\fBreconn_timer\fP (default: \fB120\fP)
Defines the initial delay (in seconds) before a reconnection attempt.
The delay increases with the number of attempts:
delay = reconn_timer * number of attempts
@ -227,7 +227,7 @@ This option should of course not be enabled if \fBbacklog_lines\fP is 0 !
If you still want to do so, don't forget to \fB/BIP BLRESET\fP sometimes.
.TP
\fBbacklog_lines\fP (default: \fB0\fP)
\fBbacklog_lines\fP (default: \fB10\fP)
If set to 0, BIP will replay all the logs since last client disconnect. Else,
it'll replay exactly \fBbacklog_lines\fP lines on each channel and privates.
Be aware that BIP will replay \fBbacklog_lines\fP lines of all privates, even

View File

@ -94,74 +94,6 @@ if test "$ap_cv_cc_pie" = "yes"; then
enable_pie=yes
fi
AC_CACHE_CHECK([whether $CC accepts hardening flags], [ap_cv_cc_hardening], [
save_CFLAGS=$CFLAGS
save_LDFLAGS=$LDFLAGS
CFLAGS="$CFLAGS -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fstack-clash-protection -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-z,separate-code"
AC_RUN_IFELSE([AC_LANG_SOURCE([[static int foo[30000]; int main () { return 0; }]])],
[ap_cv_cc_hardening=yes],
[ap_cv_cc_hardening=no],
[ap_cv_cc_hardening=yes]
)
CFLAGS=$save_CFLAGS
])
if test "$ap_cv_cc_hardening" = "yes"; then
CFLAGS="$CFLAGS -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fstack-clash-protection -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-z,separate-code"
enable_cc_hardening=yes
fi
AC_CACHE_CHECK([whether $CC accepts some warning flags], [ap_cv_cc_warnings], [
save_CFLAGS=$CFLAGS
save_LDFLAGS=$LDFLAGS
CFLAGS="$CFLAGS -Wformat-overflow=2 -Wformat-truncation=2 -Wtrampolines -Warray-bounds=2 -Wimplicit-fallthrough=3 -Wtraditional-conversion -Wshift-overflow=2 -Wstringop-overflow=4 -Wlogical-op -Wduplicated-cond -Wduplicated-branches -Wformat-signedness -Wstack-usage=1000000 -Wcast-align=strict"
AC_RUN_IFELSE([AC_LANG_SOURCE([[static int foo[30000]; int main () { return 0; }]])],
[ap_cv_cc_warnings=yes],
[ap_cv_cc_warnings=no],
[ap_cv_cc_warnings=yes]
)
CFLAGS=$save_CFLAGS
])
if test "$ap_cv_cc_warnings" = "yes"; then
CFLAGS="$CFLAGS -Wformat-overflow=2 -Wformat-truncation=2 -Wtrampolines -Warray-bounds=2 -Wimplicit-fallthrough=3 -Wtraditional-conversion -Wshift-overflow=2 -Wstringop-overflow=4 -Wlogical-op -Wduplicated-cond -Wduplicated-branches -Wformat-signedness -Wstack-usage=1000000 -Wcast-align=strict"
enable_cc_warnings=yes
fi
AC_CACHE_CHECK([whether $CC accepts some supplementary warning flags], [ap_cv_cc_warnings2], [
save_CFLAGS=$CFLAGS
save_LDFLAGS=$LDFLAGS
CFLAGS="$CFLAGS -Wformat=2 -Wformat-security -Wnull-dereference -Wstack-protector -Walloca -Wvla -Wcast-qual -Wconversion -Wshadow -Wstrict-overflow=4 -Wstrict-prototypes -Wswitch-default -Wswitch-enum"
AC_RUN_IFELSE([AC_LANG_SOURCE([[static int foo[30000]; int main () { return 0; }]])],
[ap_cv_cc_warnings2=yes],
[ap_cv_cc_warnings2=no],
[ap_cv_cc_warnings2=yes]
)
CFLAGS=$save_CFLAGS
])
if test "$ap_cv_cc_warnings2" = "yes"; then
CFLAGS="$CFLAGS -Wformat=2 -Wformat-security -Wnull-dereference -Wstack-protector -Walloca -Wvla -Wcast-qual -Wconversion -Wshadow -Wstrict-overflow=4 -Wstrict-prototypes -Wswitch-default -Wswitch-enum"
enable_cc_warnings2=yes
fi
AC_CACHE_CHECK([whether $CC accepts -Warith-conversion flag], [ap_cv_cc_warith], [
save_CFLAGS=$CFLAGS
save_LDFLAGS=$LDFLAGS
CFLAGS="$CFLAGS -Warith-conversion"
AC_RUN_IFELSE([AC_LANG_SOURCE([[static int foo[30000]; int main () { return 0; }]])],
[ap_cv_cc_warith=yes],
[ap_cv_cc_warith=no],
[ap_cv_cc_warith=yes]
)
CFLAGS=$save_CFLAGS
])
if test "$ap_cv_cc_warith" = "yes"; then
CFLAGS="$CFLAGS -Warith-conversion"
enable_warith_conversion=yes
fi
PKG_CHECK_MODULES([CHECK], [check >= 0.9.6], [enable_tests=yes], [enable_tests=no])
AM_CONDITIONAL([COND_WANT_TESTS], [test "$enable_tests" = yes])

View File

@ -86,7 +86,7 @@
# Sets the initial delay (in seconds) before a reconnection attempt.
# The delay increases with the number of attempts:
# delay = reconn_timer * number of attempts
#reconn_timer = 30;
#reconn_timer = 120;
# Network definition, a name and server info
#network {

View File

@ -119,7 +119,7 @@ my %optdesc = (
'optional' => 1,
'depends' => 'log', 'depval' => 'true',
'desc' => 'Do you want to activate backlog {play back logs} system ?' },
'backlog_lines' => { 'type' => 'i', 'adv' => 0, 'default' => '0',
'backlog_lines' => { 'type' => 'i', 'adv' => 0, 'default' => '10',
'optional' => 1,
'depends' => 'backlog', 'depval' => 'true',
'desc' => 'How much line do you want bip to play back upon client connect' .

View File

@ -36,4 +36,9 @@ bipmkpw_LDADD = libbip.a libbiplex.a $(OPENSSL_LIBS)
AM_YFLAGS= -d
BUILT_SOURCES = conf.c conf.h lex.c
AM_CFLAGS=-Wall -Wextra -Werror -Wundef -Wpedantic
AM_CFLAGS=-Wall -Wextra -Werror \
-O2 \
-D_FORTIFY_SOURCE=2 \
-fstack-protector-strong -fstack-clash-protection \
-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-z,separate-code \
-Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 -Wformat-security -Wnull-dereference -Wstack-protector -Wtrampolines -Walloca -Wvla -Warray-bounds=2 -Wimplicit-fallthrough=3 -Wtraditional-conversion -Wshift-overflow=2 -Wcast-qual -Wstringop-overflow=4 -Wconversion -Warith-conversion -Wlogical-op -Wduplicated-cond -Wduplicated-branches -Wformat-signedness -Wshadow -Wstrict-overflow=4 -Wundef -Wstrict-prototypes -Wswitch-default -Wswitch-enum -Wstack-usage=1000000 -Wcast-align=strict

View File

@ -67,7 +67,6 @@ void conf_die(bip_t *bip, char *fmt, ...);
static char *get_tuple_pvalue(list_t *tuple_l, int lex);
void bip_notify(struct link_client *ic, char *fmt, ...);
void adm_list_connections(struct link_client *ic, struct bipuser *bu);
struct link *find_link(const char *link_name, struct bipuser *bu);
void free_conf(list_t *l);
@ -374,45 +373,6 @@ static int add_network(bip_t *bip, list_t *data)
return 1;
}
void adm_bip_jump(struct link_client *ic, const char *conn_name,
int reset_timer)
{
struct link *lnk;
if (conn_name) {
lnk = find_link(conn_name, LINK(ic)->user);
if (!lnk) {
bip_notify(ic, "-- Cannot find connection named %s",
conn_name);
return;
}
goto do_the_jump;
} else {
lnk = LINK(ic);
}
do_the_jump:
if (!lnk->l_server) {
if (reset_timer) {
lnk->recon_timer = 0;
bip_notify(ic,
"-- %s is not connected, "
"timer has been reset, please wait",
conn_name);
return;
}
int timer = (lnk->recon_timer ? lnk->recon_timer : 0);
bip_notify(ic,
"-- %s is not connected, "
"please wait for reconnect (%ds)",
conn_name, timer);
return;
}
WRITE_LINE1(CONN(lnk->l_server), NULL, "QUIT", "jumpin' jumpin'");
connection_close(CONN(lnk->l_server));
bip_notify(ic, "-- Jumping to next server on %s", conn_name);
}
void adm_bip_delconn(bip_t *bip, struct link_client *ic, const char *conn_name)
{
struct bipuser *user = LINK(ic)->user;
@ -704,31 +664,6 @@ static int add_connection(bip_t *bip, struct bipuser *user, list_t *data)
return 1;
}
struct link *find_link(const char *link_name, struct bipuser *bu)
{
list_iterator_t it;
// Immediately return NULL when bip user (bu) is NULL
if (!bu) {
return NULL;
}
for (list_it_init(&_bip->link_list, &it); list_it_item(&it);
list_it_next(&it)) {
struct link *lnk = list_it_item(&it);
if (!lnk)
continue;
// Only lookup in optionally specified user links
if (bu != lnk->user)
continue;
if (strcmp(link_name, lnk->name) == 0)
return lnk;
}
return NULL;
}
static char *get_tuple_pvalue(list_t *tuple_l, int lex)
{
struct tuple *t;
@ -1396,10 +1331,9 @@ void adm_print_connection(struct link_client *ic, struct link *lnk,
bufpos = buf;
list_iterator_t itocs;
int i = 0;
for (list_it_init(&lnk->on_connect_send, &itocs);
list_it_item(&itocs) && i < 10; i++) {
bufpos = bip_strcatf_fit(&remaining, bufpos, " on_connect_send: %s",
list_it_item(&itocs);) {
bufpos = bip_strcatf_fit(&remaining, bufpos, "%s",
(char *)list_it_item(&itocs));
if (!bufpos) {
// if oversized, print and reset
@ -1407,7 +1341,6 @@ void adm_print_connection(struct link_client *ic, struct link *lnk,
bip_notify(ic, "%s", buf);
remaining = LINE_SIZE_LIM;
bufpos = buf;
list_it_next(&itocs);
continue;
} else {
// if ok, go to next item
@ -2059,8 +1992,8 @@ void adm_bip_help(struct link_client *ic, int admin, const char *subhelp)
bip_notify(ic, "/BIP LIST networks|connections");
}
bip_notify(ic,
"/BIP JUMP [-f] [conn_name] # jump to next "
"server (defaults to current network)");
"/BIP JUMP # jump to next server (in same "
"network)");
bip_notify(ic,
"/BIP BLRESET [channel|query]# reset backlog "
"(this connection only). Add -q flag and the "
@ -2113,14 +2046,8 @@ void adm_bip_help(struct link_client *ic, int admin, const char *subhelp)
" Removing a connection will cause "
"its disconnection.");
} else if (strcasecmp(subhelp, "JUMP") == 0) {
bip_notify(ic, "/BIP JUMP [-f] [conn_name]:");
bip_notify(ic, "/BIP JUMP :");
bip_notify(ic, " Jump to next server in current network.");
bip_notify(ic,
" If [conn_name] is set, jump to next server in "
"[conn_name] network instead.");
bip_notify(ic,
" If [-f] flag is used, also resets reconnect "
"timer.");
} else if (strcasecmp(subhelp, "BLRESET") == 0) {
bip_notify(ic, "/BIP BLRESET :");
bip_notify(ic, " Reset backlog on this network.");
@ -2300,16 +2227,12 @@ int adm_bip(bip_t *bip, struct link_client *ic, struct line *line, int privmsg)
bip_notify(ic, "-- Invalid INFO request");
}
} else if (irc_line_elem_case_equals(line, privmsg + 1, "JUMP")) {
if (irc_line_count(line) == privmsg + 2) {
adm_bip_jump(ic, NULL, 0);
} else if (irc_line_count(line) == privmsg + 3) {
adm_bip_jump(ic, irc_line_elem(line, privmsg + 2), 0);
} else if (irc_line_count(line) == privmsg + 4
&& irc_line_elem_equals(line, privmsg + 2, "-f")) {
adm_bip_jump(ic, irc_line_elem(line, privmsg + 3), 1);
} else {
bip_notify(ic, "-- Invalid usage (/BIP HELP JUMP)");
if (LINK(ic)->l_server) {
WRITE_LINE1(CONN(LINK(ic)->l_server), NULL, "QUIT",
"jumpin' jumpin'");
connection_close(CONN(LINK(ic)->l_server));
}
bip_notify(ic, "-- Jumping to next server");
} else if (irc_line_elem_case_equals(line, privmsg + 1, "BLRESET")) {
if (irc_line_includes(line, privmsg + 2)) {
if (irc_line_elem_equals(line, privmsg + 2, "-q")) {

View File

@ -23,9 +23,9 @@
#include "util.h"
#include "md5.h"
extern int conf_log_level;
extern FILE *conf_global_log_file;
extern int conf_log_system;
int conf_log_level;
FILE *conf_global_log_file;
int conf_log_system;
void bipmkpw_fatal(char *msg, char *err)
{

View File

@ -62,7 +62,7 @@ void connection_close(connection_t *cn)
{
mylog(LOG_DEBUG, "Connection close asked. FD:%d (status: %d)",
(long)cn->handle, cn->connected);
if (cn->connected != CONN_DISCONN) {
if (cn->connected != CONN_DISCONN && cn->connected != CONN_ERROR) {
cn->connected = CONN_DISCONN;
if (close(cn->handle) == -1)
mylog(LOG_WARN, "Error on socket close: %s",
@ -1171,7 +1171,6 @@ static connection_t *connection_init(int anti_flood, int ssl, time_t timeout,
static int ctx_set_dh(SSL_CTX *ctx)
{
/* Return ephemeral DH parameters. */
#if OPENSSL_VERSION_NUMBER < 0x30000000L /* 3.0.0 */
DH *dh = NULL;
FILE *f;
long ret;
@ -1204,31 +1203,7 @@ static int ctx_set_dh(SSL_CTX *ctx)
ERR_error_string(ERR_get_error(), NULL));
return 0;
}
#else
BIO *pbio = BIO_new_file(conf_client_dh_file, "r");
if (!pbio) {
mylog(LOG_ERROR, "Unable to open DH parameters, BIO_new_file(%s): %s",
conf_client_dh_file, ERR_error_string(ERR_get_error(), NULL));
return 0;
}
EVP_PKEY *param = PEM_read_bio_Parameters(pbio, NULL);
BIO_free(pbio);
if (!param) {
mylog(LOG_ERROR, "TLS DH Error: PEM_read_bio_Parameters(%s): %s",
conf_client_dh_file, ERR_error_string(ERR_get_error(), NULL));
return 0;
}
if (SSL_CTX_set0_tmp_dh_pkey(ctx, param) != 1) {
EVP_PKEY_free(param);
mylog(LOG_ERROR, "TLS DH Error: SSL_CTX_set0_tmp_dh_pkey(%s): %s",
conf_client_dh_file, ERR_error_string(ERR_get_error(), NULL));
return 0;
}
#endif
mylog(LOG_DEBUG, "TLS: succesfully set up DH params %s",
conf_client_dh_file);
return 1;
}
#endif

View File

@ -19,7 +19,7 @@
#define DEFAULT_BACKLOG 1
#define DEFAULT_ALWAYS_BACKLOG 0
#define DEFAULT_BL_MSG_ONLY 0
#define DEFAULT_BACKLOG_LINES 0
#define DEFAULT_BACKLOG_LINES 10
#define DEFAULT_BACKLOG_TIMESTAMP BLTSTime
#define DEFAULT_BLRESET_ON_TALK 0
#define DEFAULT_BLRESET_CONNECTION 0
@ -29,6 +29,6 @@
#define DEFAULT_LOG_LEVEL LOG_INFO
#define DEFAULT_LOG_FORMAT "%u/%n/%Y-%m/%c.%d.log"
#define DEFAULT_BIP_USE_NOTICE 0
#define DEFAULT_RECONN_TIMER 30
#define DEFAULT_RECONN_TIMER 120
#endif /* DEFAULTS_H */

View File

@ -33,7 +33,6 @@
extern int sighup;
extern bip_t *_bip;
static int irc_generic_error(struct link_server *server, struct line *line);
static int irc_join(struct link_server *server, struct line *line);
static int irc_part(struct link_server *server, struct line *line);
static int irc_mode(struct link_server *server, struct line *line);
@ -626,10 +625,6 @@ int irc_dispatch_server(bip_t *bip, struct link_server *server,
ret = irc_quit(server, line);
} else if (irc_line_elem_equals(line, 0, "NICK")) {
ret = irc_nick(server, line);
} else if (irc_line_is_error(line)) {
// IRC errors catchall (for unhandled ones)
// logs error to bip.log
ret = irc_generic_error(server, line);
}
if (ret == OK_COPY) {
@ -1030,31 +1025,6 @@ static int irc_cli_pass(bip_t *bip, struct link_client *ic, struct line *line)
return OK_FORGET;
}
static int irc_cli_cap(bip_t *bip, struct link_client *ic, struct line *line)
{
if (irc_line_count(line) < 2)
return ERR_PROTOCOL;
/* When we decide to enable actual capabilities, we'll have to handle CAP
* version, add a flag cap_started or similar, and handle CAP END.
*/
if (irc_line_elem_equals(line, 1, "LS")) {
WRITE_LINE2(CONN(ic), NULL, "CAP", "*", "LS");
} else if (irc_line_elem_equals(line, 1, "LIST")) {
WRITE_LINE3(CONN(ic), NULL, "CAP", "*", "LIST", "");
} else if (irc_line_elem_equals(line, 1, "REQ")) {
char *caps = irc_line_to_string_skip(line, 2);
if (caps) {
caps++;
WRITE_LINE3(CONN(ic), NULL, "CAP", "*", "NAK", caps);
}
}
if ((ic->state & IRCC_READY) == IRCC_READY)
return irc_cli_startup(bip, ic, line);
return OK_FORGET;
}
static int irc_cli_quit(struct link_client *ic, struct line *line)
{
(void)ic;
@ -1433,8 +1403,6 @@ static int irc_dispatch_logging_client(bip_t *bip, struct link_client *ic,
return irc_cli_user(bip, ic, line);
} else if (irc_line_elem_equals(line, 0, "PASS")) {
return irc_cli_pass(bip, ic, line);
} else if (irc_line_elem_equals(line, 0, "CAP")) {
return irc_cli_cap(bip, ic, line);
}
return OK_FORGET;
}
@ -1480,17 +1448,6 @@ static int origin_is_me(struct line *l, struct link_server *server)
return 0;
}
static int irc_generic_error(struct link_server *server, struct line *line)
{
if (irc_line_count(line) == 4)
mylog(LOG_INFO, "[%s] IRC error: %s", LINK(server)->name,
irc_line_elem(line, 3));
else
mylog(LOG_INFO, "[%s] IRC error: %s", LINK(server)->name,
irc_line_to_string(line));
return OK_COPY;
}
static int irc_join(struct link_server *server, struct line *line)
{
char *s_nick;

View File

@ -16,8 +16,6 @@
#include "line.h"
#include "util.h"
char *_irc_line_to_string(struct line *l, int skip_first);
// TODO resolve assuming signed overflow does not occur when changing X +- C1
// cmp C2 to X cmp C2 -+ C1
#pragma GCC diagnostic ignored "-Wstrict-overflow"
@ -78,19 +76,6 @@ void irc_line_append(struct line *l, const char *s)
}
char *irc_line_to_string(struct line *l)
{
return _irc_line_to_string(l, 0);
}
char *irc_line_to_string_skip(struct line *l, int skip_first)
{
if (skip_first >= irc_line_count(l)) {
return NULL;
}
return _irc_line_to_string(l, skip_first);
}
char *_irc_line_to_string(struct line *l, int skip_first)
{
size_t len = 0;
int i;
@ -98,7 +83,7 @@ char *_irc_line_to_string(struct line *l, int skip_first)
if (l->origin)
len = strlen(l->origin) + 2;
for (i = skip_first; i < array_count(&l->words); i++)
for (i = 0; i < array_count(&l->words); i++)
len += strlen(array_get(&l->words, i)) + 1;
len += 1; /* remove one trailing space and add \r\n */
len++; /* last args ":" */
@ -110,7 +95,7 @@ char *_irc_line_to_string(struct line *l, int skip_first)
strcat(ret, l->origin);
strcat(ret, " ");
}
for (i = skip_first; i < array_count(&l->words) - 1; i++) {
for (i = 0; i < array_count(&l->words) - 1; i++) {
strcat(ret, array_get(&l->words, i));
strcat(ret, " ");
}
@ -158,12 +143,6 @@ void irc_line_drop(struct line *line, int elem)
bip_cfree(array_drop(&line->words, elem));
}
int irc_line_is_error(struct line *line)
{
const char *irc_code = irc_line_elem(line, 0);
return (irc_code[0] == '4');
}
int irc_line_elem_equals(struct line *line, int elem, const char *cmp)
{
return !strcmp(irc_line_elem(line, elem), cmp);

View File

@ -90,7 +90,6 @@ void irc_line_write(struct line *l, connection_t *c);
void irc_line_append(struct line *l, const char *s);
struct line *irc_line_new_from_string(char *str);
char *irc_line_to_string(struct line *l);
char *irc_line_to_string_skip(struct line *l, int skip_first);
char *irc_line_to_string_to(struct line *line, char *nick);
void irc_line_free(struct line *l);
struct line *irc_line_dup(struct line *line);
@ -99,7 +98,6 @@ int irc_line_includes(struct line *line, int elem);
const char *irc_line_elem(struct line *line, int elem);
int irc_line_count(struct line *line);
char *irc_line_pop(struct line *l);
int irc_line_is_error(struct line *line);
int irc_line_elem_equals(struct line *line, int elem, const char *cmp);
int irc_line_elem_case_equals(struct line *line, int elem, const char *cmp);
void irc_line_drop(struct line *line, int elem);